Responder is a well-known tool used by many penetration testers since its release. In case you are not familiar with Responder, it is a suite of hash capturing NTLMSSP servers which use LLMNR/NBNS to trick clients on a network to connect to them. If you want to read about using the basics of Responder you should check out the usage section at the bottom of the README here: https://github.com/lgandx/Responder. This article will not cover the basic usage of Responder in a comprehensive manner; instead we will be aiming to look at expanding penetration testers' knowledge of the tool beyond basic command line switches by exposing you to tools and flags/switches you may not have used before. Step by step guides will not be included in this article, however; recommended guides will be linked to.
A second, more advanced, article
is planned to be released a week after this article. When it is, it will be linked to here. That
article will discuss the adaption of Responder to your network environment for
the purpose of releasing Responder's full potential.
Thinking About Responder in a Different Light
Responder is one of those tools that we take for granted as
performing a niche attack. Like many other tools, it tends to be used with a
copy and pasted command or otherwise with limited knowledge of its true
potential. Instead of thinking about Responder as an inflexible niche tool
designed to achieve one goal, you should think about how you can leverage the
victim's network against them. For example, a writeable SMB share without
administrator permissions can be turned into an Empire shell on the domain
controller with ease.
The following sections will cover each of the different ways
we can extend Responder's functionality and truly conquer the target network
using just the tools provided. The next article will expand upon this further,
and show you how you can use Responder alongside other tools and your own
creations to execute attacks like the SMB scenario presented above.
Tips and Tricks
·
Responder is capable of performing recon of a
network drastically quieter than a port scanner. If for some reason you are
unable to run nmap on the network (such as an aggressive IDS is present),
Responder could help you map the network. Using either the –A or –f flags in
Responder you can gather a good amount of information on workstations and SMB
servers on the network. The RunFinger.py and FindSQLSrv.py tools can be used to
discover SMB and MS-SQL servers on the network.
·
The configuration file in Responder is more
useful than you might initially think. Inside this file you can customise
several options which will ensure you stay within scope on your test. In
addition to this, you can deliver executable files, custom HTML or a custom WPAD
script. For example; Empire launcher executables can be delivered by the HTTP
module using the custom executable option.
·
The hash files found in logs that are formatted
as <Capture Module>-NTLMv2-<Victim IP> can be used directly with
John for ease of use. They do, however, generally contain duplicates. The Linux
file match expression *-*-* can be used to easily select all of these files and
run them all through John at once.
·
The most effective method for grabbing hashes on
the network is with the WPAD module. If you aren't familiar with WPAD, WPAD is
the Web Proxy Auto-Discovery Protocol which is used to automatically configure
browser proxy settings. If an entry for WPAD does not exist in the victim
network's DNS server, then you may be able to exploit this. To use this, ensure
the HTTP module is enabled in Responder and then run Responder with the –rwFP
options.
The Tools Directory
Responder comes bundled with some useful tools, these can be
found in the directory named "tools". The most interesting and useful
of these tools is likely MultiRelay, and as such it is the main tool we will
discuss.
MultiRelay
MultiRelay is a tool capable of passing hashes from two
different Responder servers, SMB and HTTP. On its original release MultiRelay
was called SMBRelay and could only pass NetNTLM hashes acquired by Responder's
SMB servers. MultiRelay v2 can now support the capture of NetNTLM hashes via
HTTP WEBDAV. If you have SMBRelay instead of MultiRelay you are likely using an
old copy or have downloaded Responder from the old repository. There is a newer
repository hosted by lgandx and not SpiderLabs. You can find it here: https://github.com/lgandx/Responder.
A Windows version of Responder built in PowerShell can also be found here: https://github.com/lgandx/Responder-Windows.
This can be useful for pivoting from a compromised Windows machine on a remote
test.
To use MultiRelay, you will need to edit the Responder
config file to turn off the services you want to run through MultiRelay. I
would recommend turning off both if you are simply looking to maximise
effectiveness, if you are targeting a specific service rather than casting a
broad net you could turn off all un-needed servers and only target a specific
victim IP.
Once you have turned off the relevant modules in the
Responder config file, you will need to start the main Responder tool followed
by the MultiRelay tool. If you receive any error messages from MultiRelay
claiming that HTTP or SMB services have failed to start you have not disabled
the respective options in the Responder config correctly. MultiRelay will also
check the network to determine if SMB signing is on or off, if SMB signing is
on then MultiRelay will not function. The section below titled The Rest covers
a useful tool you can use to check for SMB signing on a domain.
MultiRelay has a few different options; the only options
that matter for basic usage of the program are the user flag and the target
flag. The target should be set to the SMB server you wish to exploit, Domain
Controllers have signing turned on for their SMB shares by default so they
generally are not a good target. The user flag should be set to ALL if you are
unsure of what the Admin's usernames are or you can specify users in a space
separated list if you know who has admin rights on the targeted SMB server. The
only other flag you will use regularly is the command flag. By default
MultiRelay will place a shell somewhat similar to Meterpreter on the target
system which you can use to execute basic commands and modules like mimikatz.
You can expand this functionality yourself by providing a custom command, such
as the multi/launcher output from Empire. By providing an Empire launcher you
can effectively spread your Empire agents across a network using Responder.
For a step by step guide on utilising MultiRelay basics and
using an Empire Launcher I recommend reading this article: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html.
Example Usage: Multirelay.py –u ALL –t <target IP>
The Rest
In addition to MultiRelay Responder comes bundled with a
small collection of recon and exploit tools.
BrowserListener is a tool which listens for browser
announcements on Windows domains/workgroups from SMB servers. This is a useful
plugin, but seems to be made redundant by Responder's analyse mode which does a
better job of the same thing. Should you need to perform recon of a network
silently or are interested in identifying SMB shares on the network, this tool
or the analysis mode for the main tool could be useful. Whilst this tool is
theoretically useful, I have never been able to get it to work on Windows 7 and
10 victims. I would recommend the –A mode for the main tool instead.
Example Usage: This tool doesn't have any arguments, just
run it! The image below shows the error encountered when a Windows 10 client
sends a Browser announcement.
DHCP and DHCP_Auto are exploit tools designed to exploit a
flaw in the DHCP implementation of Windows XP, Windows 2000 and Server 2003. If
you are on a network with these servers then you can use DHCP Inform takeover
through the DHCP.py and DHCP_Auto.sh files. A much noisier and less effective
version is accessible via the –R switch; this is capable of exploiting Vista
and above in theory. The arguments for the python file can be identified with
–h and the shell file should fill these arguments for you automatically. For
the sake of scope and safety I would recommend configuring the parameters
yourself, there is always the chance the automated option may choose an
incorrect network or similar. This tool will only work on a heavily unpatched
network.
Example Usage: DHCP.py –I <interface> -d
<domain> -r <new router> -p <primary DNS> -s <secondary
DNS> -R
The FindSMB2UpTime and RunFinger tools can be used to
discover and enumerate SMB shares on the network. They can be used in much the
same way as the BrowserListener tool or the analysis mode for the main program,
however, these two tools perform an active scan of the network for SMB shares.
RunFinger can be pointed at a subnet rather than a single IP address and it
will return a list of all SMB shares on the network. The FindSQLSrv tool can be
used in a similar manner to discover MS-SQL servers on the network. This tool
does not require any parameters.
RunFinger Example Usage: RunFinger.py –I <target, can be
a subnet> (-g for grepable format)
FindSQLSrv Example Usage: This tool doesn't have any
arguments, just run it!
The ICMP—Redirect tool allows you to redirect traffic on a
network to pass through your own machine. This is an effective MITM technique;
however, it only works on Windows XP, 2003 and older. The early service packs
for XP patch this issue, which means this tool will only work on very old
infrastructures. Use the –h flag to discover the parameters, this tool is
self-explanatory.
Example Usage: Icmp-Redirect.py –I <interface> -i <your
IP> -g <gateway> -t <target> -r <destination target ag: DNS
server>
The rest of the files in the tools directory, such as
RunFingerPackets and odict are simply library files for the tools and do not
have any standalone functionality.
Summary
Responder is an excellent network exploit tool, whilst it
was originally designed to work with just LLMNR and NBNS its many in built
servers offer significant potential for use with other tools. Utilising methods
like ARP and DNS spoofing or the tools provided in the tools directory, can
expand the power of Responder beyond normal. In the next article we will
discuss some advanced methods for attacking networks with Responder, such as
the creation of malicious desktop.ini files and multiple ways which you can use
these to conquer a Windows network.
